https://bugzilla.redhat.com/show_bug.cgi?id=1036780
Bug ID: 1036780
Summary: rabbitmq-server wrapper script drops arguments
Product: Fedora
Version: rawhide
Component: rabbitmq-server
Assignee: hubert.plociniczak(a)gmail.com
Reporter: rhbugs(a)rbu.sh
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
hubert.plociniczak(a)gmail.com, lemenkov(a)gmail.com
Description of problem:
The wrapper script /usr/sbin/rabbitmqctl drops all arguments to the command in
certain cases, for example when the calling user is not root.
I am running a rabbitmq node as a local user (for development) as a regular
user, outside of /var. This works fine, however the Fedora-specific wrapper to
"rabbitmqctl" will obscure access to the rabbitmqctl script. It took me quite a
while to debug what was happening, until I found out the command is really a
wrapper whose sole purpose is munging arguments -- and it does it wrong.
Version-Release number of selected component (if applicable):
I am on 3.1.5-1.fc19 but I see the same bug in rawhide.
How reproducible:
Always.
Steps to Reproduce:
1. Be non-root / non-rabbitmq user
2. Run rabbitmqctl status
Actual results:
Error: could not recognise command
Usage:
rabbitmqctl [-n <node>] [-q] <command> [<command options>]
...
Expected results:
Status of node rabbit@localhost ...
[{pid,1234},...
Additional info:
The warning "Only root or rabbitmq should run" should really be "Only root or
rabbitmq must run", as currently it makes it impossible for anyone else.
However, this is not true, as any user *can* run rabbitmq.
Furthermore, users in the rabbitmq group should be able to run management
commands, given the correct parameters.
Lastly, the "rabbitmq-plugins" case looks fishy too, as it allows anyone to run
the rabbitmq-plugins command, and makes the first line obsolete.
--
You are receiving this mail because:
You are on the CC list for the bug.
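
The failure mode reported above (a wrapper that forwards arguments in one branch and loses them in another) can be reproduced and regression-tested with the added sketch below. It is a constructed illustration, not the Fedora wrapper's source: real_tool, wrapper_dropping, wrapper_forwarding and check_wrapper are hypothetical names, and the calling user is passed as the first argument instead of being read from id so the check runs anywhere.

```shell
#!/bin/sh
# Constructed illustration; not the Fedora wrapper's actual source.
# real_tool stands in for the wrapped program: it reports how many
# arguments it received and what they were.
real_tool() {
    echo "argc=$# argv=$*"
}

# Hypothetical wrapper with the class of defect described in the report:
# the privileged branch forwards "$@", the fallback branch forgets to.
wrapper_dropping() {
    caller="$1"; shift
    if [ "$caller" = "root" ] || [ "$caller" = "rabbitmq" ]; then
        real_tool "$@"
    else
        real_tool            # arguments silently lost here
    fi
}

# Every branch forwards "$@" quoted, so argument count and embedded
# whitespace survive regardless of which user calls the wrapper.
wrapper_forwarding() {
    caller="$1"; shift
    if [ "$caller" = "root" ] || [ "$caller" = "rabbitmq" ]; then
        real_tool "$@"
    else
        echo "note: running as unprivileged user '$caller'" >&2
        real_tool "$@"
    fi
}

# Regression check: run a wrapper as each caller and confirm the tool
# sees the same arguments. Returns 0 only if no branch loses arguments.
check_wrapper() {
    wrapper="$1"
    expected=$(real_tool -n "rabbit@localhost" status "a b")
    for caller in root rabbitmq devuser; do
        got=$("$wrapper" "$caller" -n "rabbit@localhost" status "a b")
        [ "$got" = "$expected" ] || { echo "$wrapper drops args for $caller"; return 1; }
    done
    echo "$wrapper forwards args for all callers"
}

check_wrapper wrapper_dropping || true
check_wrapper wrapper_forwarding
```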

https://bugzilla.redhat.com/show_bug.cgi?id=1082171
Bug ID: 1082171
Summary: CVE-2014-2668 couchdb: remote denial of service flaw
[epel-all]
Product: Fedora EPEL
Version: el6
Component: couchdb
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: extras-orphan(a)fedoraproject.org
Reporter: vdanen(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: erlang(a)lists.fedoraproject.org,
extras-orphan(a)fedoraproject.org
Blocks: 1082168 (CVE-2014-2668)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple supported versions of Fedora EPEL.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1082168
[Bug 1082168] CVE-2014-2668 couchdb: remote denial of service flaw